[Cryptography] XChaCha20 standardized?
Jason Cooper
cryptography at lakedaemon.net
Fri Dec 8 16:45:04 EST 2017
Hi Tony,
On Mon, Dec 04, 2017 at 04:48:00PM -0800, Tony Arcieri wrote:
> On Mon, Dec 4, 2017 at 10:54 AM, Jason Cooper <cryptography at lakedaemon.net>
> wrote:
>
> > While digging into libsodium [1] (An ISC licensed chacha20-poly1305 AEAD
> > crypto library), I found they recently added support for
> > chacha20-poly1305-ietf and xchacha20-poly1305-ietf. The difference
> > between the original and these two new ones being nonce size.
> >
>
> XChaCha20 uses the HChaCha20 function to hash the longer nonce in the same
> manner as XSalsa20.
mmm, I think 'hash' is a strong word that may be used incorrectly here.
In the XSalsa20 paper, DJB states:
"The indices 0, 5, 10, 15, 6, 7, 8, 9 here were not chosen arbitrarily;
the choice is important for the security proof later in this paper."
If it were the output of a secure hash function, one could just use the
first 32 bytes of output (indices 0 - 7 inclusive).
However, I'm not a mathematician, so parsing the proof is proving (ha!)
difficult.
> This is somewhat unique to libsodium, although easily added to any other
> library that has ChaCha20/HChaCha20.
Agreed, which is what I'd like to do. But I'd prefer to avoid deploying
something only to have to support it after a slightly different version
achieved standardization. :-/
> > 1) Has anyone seen a formal specification of XChaCha20 anywhere?
> >
> > 2) Has anyone seen a formal security analysis of XChaCha20, akin to
> > DJB's analysis in the XSalsa20 paper?
> >
>
> No
Ok, glad I didn't miss something.
thx,
Jason.
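An added example, not part of the original message and not libsodium's code: a plain-Python HChaCha20 next to the ChaCha20 block function, to make the index question above concrete. In Salsa20 the state words 0, 5, 10, 15 hold the constants and 6 to 9 hold the nonce and counter; the corresponding ChaCha20 positions are 0 to 3 and 12 to 15, and HChaCha20 outputs exactly those words with no feed-forward addition, so its output can be derived from an ordinary block by subtracting public values. The helper names and the sample key and nonce are constructed for illustration.

```python
import struct

MASK = 0xFFFFFFFF
CONSTANTS = struct.unpack("<4I", b"expand 32-byte k")
# ChaCha20 state words holding public inputs: constants (0-3), counter/nonce (12-15).
PUBLIC_WORDS = (0, 1, 2, 3, 12, 13, 14, 15)
ROUND_INDICES = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                 (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _permute(state):
    """The 20-round ChaCha permutation, without the final feed-forward addition."""
    s = list(state)
    for _ in range(10):  # 10 double rounds: 4 column then 4 diagonal quarter rounds
        for a, b, c, d in ROUND_INDICES:
            s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
            s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
            s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
            s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)
    return s

def _initial_state(key, last_row):
    """Constants, 8 key words, then 4 words of counter/nonce material."""
    return list(CONSTANTS + struct.unpack("<8I", key) + struct.unpack("<4I", last_row))

def chacha20_block(key, counter, nonce12):
    """ChaCha20 block function (32-bit counter, 96-bit nonce), with feed-forward."""
    init = _initial_state(key, struct.pack("<I", counter) + nonce12)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(_permute(init), init)))

def hchacha20(key, nonce16):
    """Permute, then output only the words at the public-input positions."""
    s = _permute(_initial_state(key, nonce16))
    return struct.pack("<8I", *(s[i] for i in PUBLIC_WORDS))

def hchacha20_from_block(key, nonce16):
    """Same output, derived from a block by subtracting the public input words.
    The key is used only to call the block function, never in the subtraction."""
    counter = struct.unpack("<I", nonce16[:4])[0]
    block = struct.unpack("<16I", chacha20_block(key, counter, nonce16[4:]))
    public = _initial_state(bytes(32), nonce16)  # dummy key: key words are not read
    return struct.pack("<8I", *((block[i] - public[i]) & MASK for i in PUBLIC_WORDS))

if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(range(100, 116))  # constructed sample inputs
    print(hchacha20(key, nonce).hex())
    print(hchacha20_from_block(key, nonce) == hchacha20(key, nonce))
```

Choosing any other eight words (for example the first 32 bytes of the permuted state) would include key positions, and the subtraction step would then need the key.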